CVE-2025-66090 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the SKT Skill Bar plugin developed by sonalsinha21, affecting versions up to and including 2.5. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the Document Object Model (DOM) context, which allows malicious actors to inject and execute arbitrary JavaScript code in the browsers of users visiting affected websites. The vulnerability is classified as DOM-based XSS, meaning the attack payload is executed as a result of client-side script processing rather than server-side injection. The CVSS 3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network with low attack complexity, requires low privileges, and some user interaction (such as clicking a crafted link). The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component, and it impacts confidentiality, integrity, and availability to a limited extent. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The SKT Skill Bar plugin is commonly used in WordPress environments to display skill bars on websites, and its compromise could lead to session hijacking, theft of sensitive information, or defacement of web content.

For European organizations, the exploitation of this DOM-based XSS vulnerability could lead to several adverse impacts. Attackers could execute malicious scripts in the context of the victim's browser, potentially stealing session cookies, credentials, or other sensitive data, leading to unauthorized access to user accounts or administrative interfaces. This could result in data breaches, reputational damage, and regulatory non-compliance, especially under GDPR requirements. Additionally, attackers might manipulate website content, causing misinformation or defacement, which can erode customer trust. The availability of the affected web services could also be impacted if attackers inject scripts that disrupt normal operations or redirect users to malicious sites. Given the medium severity and the requirement for some user interaction, the risk is moderate but significant enough to warrant immediate attention, particularly for organizations with public-facing websites using the SKT Skill Bar plugin.

1. Monitor for and apply official patches or updates from the sonalsinha21 SKT Skill Bar plugin developers as soon as they are released. 2. In the absence of patches, implement strict input validation and sanitization on all user-supplied data that could be processed by the plugin, focusing on neutralizing characters that could lead to script execution. 3. Employ robust output encoding techniques, especially when inserting dynamic content into the DOM, to prevent script injection. 4. Configure Content Security Policy (CSP) headers to restrict the execution of inline scripts and loading of resources from untrusted sources, thereby reducing the risk of XSS exploitation. 5. Conduct regular security audits and penetration testing focused on client-side vulnerabilities in web applications using this plugin. 6. Educate users and administrators about the risks of clicking on suspicious links that could trigger the XSS payload. 7. Consider temporarily disabling or replacing the SKT Skill Bar plugin with a more secure alternative until a patch is available.